Add haproxy and WIP rsyslogd + promtail + prometheus

redxen.eu/config.mk

@@ -168,6 +168,12 @@ redxen.eu/daemons/murmurd/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
 	redxen.eu/data/postgres-cert/murmur/${BUILD_ID_OUT} \
 	redxen.eu/data/selfsigned/${BUILD_ID_OUT}
 
+# Relays
+redxen.eu/daemons/haproxy/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+	%/main.cfg \
+	redxen.eu/data/letsencrypt/${BUILD_ID_OUT} \
+	redxen.eu/data/haproxy-errpages/${BUILD_ID_OUT}
+
 # Data
 redxen.eu/data/branding/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
 	%/logo.svg

redxen.eu/daemons/haproxy/Containerfile

@@ -0,0 +1,19 @@
+FROM alpine AS preparer
+
+WORKDIR /root
+RUN \
+	--mount=type=bind,from=redxen.eu/data/letsencrypt:latest,src=/redxen.eu,dst=/run/letsencrypt \
+	cat \
+		/run/letsencrypt/certs/public.crt \
+		/run/letsencrypt/certs/ca.crt \
+		/run/letsencrypt/keys/private.key \
+	> full.crt
+
+FROM haproxy:lts-alpine
+
+COPY --from=preparer /root/full.crt /etc/redxen/letsencrypt/full.crt
+COPY --from=redxen.eu/data/haproxy-errpages /root/haproxy-errpages/ /etc/redxen/haproxy/errorpages/
+
+ADD main.cfg /usr/local/etc/haproxy/haproxy.cfg
+
+RUN haproxy -c -f /usr/local/etc/haproxy/haproxy.cfg

redxen.eu/daemons/haproxy/main.cfg

@@ -0,0 +1,146 @@
+global
+	maxconn     2048
+	maxconnrate 40
+
+	log 127.0.0.1:514 local0 info
+
+defaults
+	mode                        http
+
+	log                         global
+
+	retries                     3
+
+	option                      forwardfor
+	option                      http-keep-alive
+	option                      httplog
+	option                      tcp-smart-connect
+	option                      tcpka
+	option                      abortonclose
+
+	balance                     roundrobin
+
+	compression algo            gzip
+
+	timeout     http-request    10s
+	timeout     connect         10s
+	timeout     client          60s
+	timeout     server          240s
+	timeout     http-keep-alive 240s
+
+	default-server resolvers local init-addr libc,none resolve-opts prevent-dup-ip check
+
+	errorfile 400 /etc/redxen/haproxy/errorpages/400.http
+	errorfile 403 /etc/redxen/haproxy/errorpages/403.http
+	errorfile 408 /etc/redxen/haproxy/errorpages/408.http
+	errorfile 500 /etc/redxen/haproxy/errorpages/500.http
+	errorfile 502 /etc/redxen/haproxy/errorpages/502.http
+	errorfile 503 /etc/redxen/haproxy/errorpages/503.http
+	errorfile 504 /etc/redxen/haproxy/errorpages/504.http
+
+resolvers local
+	nameserver unbound   127.0.0.1:53
+
+	resolve_retries      2
+
+	timeout    retry     300ms
+
+	hold       other     100ms
+	hold       refused   100ms
+	hold       nx        100ms
+	hold       timeout   3s
+	hold       valid     60s
+
+listen git-gitea
+	mode tcp
+	bind ipv4@*:2442,ipv6@*:2442
+	option tcp-check
+	server-template gitssh 1 _gitssh._tcp.routinginfo.internal
+
+frontend metrics
+	mode http
+	bind ipv4@:7581,ipv6@:7581
+
+	http-request use-service prometheus-exporter if { path /metrics }
+
+frontend http
+	mode http
+	bind ipv4@:443,ipv6@:443 ssl crt /etc/redxen/letsencrypt/full.crt alpn h2,http/1.1
+	bind ipv4@:80,ipv6@:80
+
+	http-response set-header X-Forwarded-Proto https
+	http-response set-header X-XSS-Protection 1;\ mode=block
+	http-response set-header X-Content-Type-Options nosniff
+	http-response set-header Referrer-Policy no-referrer-when-downgrade
+	http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubDomains;\ preload
+
+	acl root path /
+
+	acl home      hdr_beg(host) -i          redxen
+	acl stats     hdr_beg(host) -i    stats.redxen
+	acl fedi      hdr_beg(host) -i   social.redxen
+	acl git       hdr_beg(host) -i      git.redxen
+	acl btdown    hdr_beg(host) -i       sd.redxen
+	acl btdaemon  hdr_beg(host) -i     seed.redxen
+	acl packs     hdr_beg(host) -i packages.redxen
+	acl cal       hdr_beg(host) -i      cal.redxen
+
+	redirect location https://en.uncyclopedia.co/wiki/South_Africa code 302 if fedi
+	redirect prefix /web code 302 if btdaemon root
+
+	use_backend backend-home         if home
+	use_backend backend-stats        if stats
+	#use_backend backend-fedi        if fedi
+	use_backend backend-git          if git
+	use_backend backend-btdown       if btdown
+	use_backend backend-btdaemon     if btdaemon
+	use_backend backend-packages     if packs
+	use_backend backend-radicale     if cal
+	# Fallback to wssproxy to bypass SNI/domain filters
+	use_backend backend-wssproxy
+
+backend backend-home
+	server-template root 1 _root._tcp.routinginfo.internal
+	option httpchk HEAD / HTTP/1.1
+	http-check send hdr Host redxen.eu
+
+backend backend-stats
+	server-template grafana 2 _grafana._tcp.routinginfo.internal
+	option httpchk HEAD / HTTP/1.1
+	http-check send hdr Host stats.redxen.eu
+
+#backend backend-fedi
+#	server-template pleroma 1 _pleroma._tcp.routinginfo.internal
+#	option httpchk HEAD / HTTP/1.1
+#	http-check send hdr Host social.redxen.eu
+
+backend backend-git
+	server-template gitea 1 _gitea._tcp.routinginfo.internal
+	option httpchk GET /caskd/corelibs HTTP/1.1
+	http-check send hdr Host gitea.redxen.eu
+	timeout check 10s
+
+backend backend-btdown
+	server-template seedown 1 _seedown._tcp.routinginfo.internal
+	option httpchk HEAD / HTTP/1.1
+	http-check send hdr Host sd.redxen.eu
+
+backend backend-btdaemon
+	server-template transmission 1 _transmission._tcp.routinginfo.internal
+
+backend backend-packages
+	server-template packages 1 _packages._tcp.routinginfo.internal
+	option httpchk HEAD / HTTP/1.1
+	http-check send hdr Host packages.redxen.eu
+
+backend backend-radicale
+	server-template radicale 1 _radicale._tcp.routinginfo.internal
+	option httpchk HEAD / HTTP/1.1
+	http-check send hdr Host cal.redxen.eu
+	http-check expect status 401
+
+backend backend-wssproxy
+	server-template wssproxy 1 _wssproxy._tcp.routinginfo.internal
+	option httpchk HEAD / HTTP/1.1
+	http-check send hdr Host localhost
+	http-check expect status 404

redxen.eu/daemons/nsd/nsd.conf

@@ -1,5 +1,4 @@
 server:
-        server-count: 4
         database: ""
         username: ""
         logfile: "/dev/stdout"

redxen.eu/daemons/prometheus/config.yaml

@@ -1,5 +1,5 @@
 global:
-        scrape_interval: 5s
+        scrape_interval: 10s
 
 scrape_configs:
         - job_name: "linux"
@@ -26,3 +26,19 @@ scrape_configs:
           dns_sd_configs:
                 - names: [ 'ceph.prometheus.routinginfo.internal' ]
                   type: 'SRV'
+        - job_name: "libvirt"
+          dns_sd_configs:
+                - names: [ 'libvirt.prometheus.routinginfo.internal' ]
+                  type: 'SRV'
+        - job_name: "smartctl"
+          scrape_interval: 1m # Less important and also takes longer to query
+          scrape_timeout: 30s # Handle scraping delays
+          dns_sd_configs:
+                - names: [ 'smartctl_exporters.prometheus.routinginfo.internal' ]
+                  type: 'SRV'
+        - job_name: "ipmi"
+          scrape_interval: 1m # Less important and also takes longer to query
+          scrape_timeout: 30s # Handle scraping delays
+          dns_sd_configs:
+                - names: [ 'ipmi.prometheus.routinginfo.internal' ]
+                  type: 'SRV'

redxen.eu/daemons/promtail/Containerfile

@@ -0,0 +1,10 @@
+FROM alpine:latest
+
+RUN --network=host apk add \
+	loki-promtail
+
+WORKDIR /etc/redxen/promtail/
+
+ADD config.yaml config.yaml
+
+CMD ["promtail", "-config.file=config.yaml"]

redxen.eu/daemons/promtail/config.yaml

@@ -0,0 +1,26 @@
+server:
+        disable: true
+
+clients:
+        - url: "http://loki.routinginfo.internal:7553/loki/api/v1/push"
+
+positions:
+        filename: "/tmp/positions.yaml"
+
+scrape_configs:
+         - job_name: "rsyslog"
+           syslog:
+                listen_address: localhost:7590
+                use_incoming_timestamp: true
+                label_structured_data: yes
+                labels:
+                        job: "rsyslog"
+           relabel_configs:
+                - source_labels: ["__syslog_connection_ip_address"]
+                  target_label: "ip_address"
+                - source_labels: ["__syslog_message_severity"]
+                  target_label: "severity"
+                - source_labels: ["__syslog_message_facility"]
+                  target_label: "facility"
+                - source_labels: ["__syslog_message_hostname"]
+                  target_label: "host"

redxen.eu/daemons/promtail/runner.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+podman create \
+	--replace \
+	--read-only \
+	--network=host \
+	--name promtail \
+	-v '/etc/resolv.conf:/etc/resolv.conf:ro' \
+	redxen.eu/daemons/promtail:latest

redxen.eu/daemons/rsyslogd/Containerfile

@@ -0,0 +1,5 @@
+FROM alpine
+
+RUN --network=host apk add rsyslog
+
+ADD rsyslogd.conf /etc/rsyslog/rsyslogd.conf

redxen.eu/daemons/rsyslogd/rsyslogd.conf

@@ -0,0 +1,26 @@
+$WorkDirectory /var/lib/rsyslog
+$FileOwner root
+$FileGroup adm
+$FileCreateMode 0640
+$DirCreateMode 0755
+$Umask 0022
+$AbortOnUncleanConfig on
+
+#### Modules ####
+
+# Provides --MARK-- message capability.
+module(load="immark")
+
+# Provides support for local system logging (e.g. via logger command).
+module(load="imuxsock")
+
+# Reads kernel messages.
+module(load="imklog")
+
+# Accepts messages via udp.
+module(load="imudp")
+input(type="imudp" port="514")
+
+# Relay logs to promtail
+module(load="omprog")
+action(type="omfwd" Protocol="tcp" Target="127.0.0.1" Port="7590" Template="RSYSLOG_SyslogProtocol23Format" TCP_Framing="octet-counted")

redxen.eu/data/haproxy-errpages/Containerfile

@@ -0,0 +1,5 @@
+FROM alpine
+
+WORKDIR /root
+RUN --network=host apk add git
+RUN --network=host git clone https://git.redxen.eu/RedXen/haproxy-errpages